Install and Configure Cloud Director App Launchpad

In continuation of my last post on the same topic, in this post we will deploy and configure Cloud Director App Launchpad.

With App Launchpad VMware cloud providers can now deliver their own catalog based applications or VMware Cloud Marketplace certified 3rd party Cloud Applications, and Bitnami catalog applications directly to customers through a simple catalog interface from a VMware Cloud Director plugin. This capability allows Cloud Providers to deliver application Platform as a Service to customers who needn’t know anything about the supporting infrastructure for the catalog applications they deploy.

NOTE – In this release Tenant using App Launchpad 1.0, can launch single-VM applications.

Prerequisites for App Launchpad Installation

Before we install and configure App Launchpad, it requires few external components and supports specific versions that you must deploy and configure.

  • Create a new Virtual Machine with below requirement
    • 14
  • Ensure Rabbit MQ is installed and configured under Cloud Director extensibility before deploying App Launchpad.
  • Inside same Rabbit MQ Server create a new Exchange with type as “direct” and a dedicated AMQP user that has full permissions to the virtual host of the AMQP broker.

    • This slideshow requires JavaScript.

Install Cloud Director App Launchpad

Deployment of  App Launchpad can be done by installing an RPM package on a dedicated Linux virtual machine.Download Application Launchpad from here and transfer the file to ALP server and installation is very simple process:

  • Open an SSH connection to the installation target Linux virtual machine and log in by using a user account with sufficient privileges to install an RPM package.
  • Install the RPM package by running the installation command.
    • yum install -y vmware-vcd-alp-1.0.0-1593616.x86_64.rpm
    • 16

Connect App Launchpad with Cloud Director

To configure App Launchpad with Cloud Director, we will use the alp command line utility. By using this utility:

  • We will establish a connection between App Launchpad and VMware Cloud Director
  • Define or create the App-Launchpad-Service account
  • and install the App Launchpad user interface plug-in for VMware Cloud Director.
  • The alp connect command also configures App Launchpad with your AMQP broker.
  • #alp connect --sa-user alpadmin --sa-pass <PASSWORD> --url --admin-user admin@system --admin-pass <PASSWORD> --amqp-user alp --amqp-pass <PASSWORD> force --amqp-exchange alpext
  • Accept “EULA” and “certificate”
    • 17
  • if you have put correct information then it should show successfully configured
  • Restart ALP service using
    • #systemctl restart alp
  • You can run #alp show to verify the connection
    • 18

Configure App Launchpad

  • Now you can go to Cloud Director and check installed ALP plugin in Cloud Director.
    • 5
  • Click on “LAUNCH SETUP” to configure it to offer Applications as a Service
  • If you want to configure the infrastructure for App Launchpad automatically, select Yes and software will setup everything automatically.
    • n14
  • In case you chosen “No i will set it up on my own”, pre-requisite you need to setup manually.
    • n15
  • App Launchpad supports the use of applications from the Bitnami applications catalog that is available in the VMware Cloud Marketplace.

    You can also create catalogs of your custom, in-house applications and configure App Launchpad to work with these catalogs.

  • Create sizing templates for the applications.
    1. Enter a name for the sizing template.
    2. Enter a vCPU count, a memory size (in GB), and a disk size (in GB)
  • To complete the initial configuration of App Launchpad, click Finish.
    • This slideshow requires JavaScript.

  • If everything is goes fine and have enough resources in Cloud Director , you will see “App Launchpad Setup Complete”
    •  19

Onboarding Bitnami Applications

VMware Cloud providers can import applications from the Bitnami applications catalog that is available in the VMware Cloud Marketplace. To begin, provider must log in to the VMware Cloud Marketplace and subscribe to the Bitnami application you wish to deploy. Follow these steps:

  • Log in to the VMware Cloud Marketplace.
  • From the “Catalog” page, find the Bitnami application you wish to deploy (With App Launchpad 1.0, tenant users can only run single-VM applications) and select it to subscribe.
  • On the “Settings” page, choose “VCD” as the platform and select the correct version. Set the subscription type to “BYOL”. Click “Next” to proceed.

    • This slideshow requires JavaScript.

  • The subscription will now be added to your Cloud Director App Launchpad organization , which tenants can use it.
  • Make sure the “App Launchpad” organization has right permission.
    • n16

Onboarding In-house Applications

Cloud Provider can also add your own in-house applications to the content library of the “AppLaunchpad" provider organization and upload your applications manually , to do so

  • Provider admin need to Navigate to the “Content Libraries -> vApp Templates” page and click on “NEW”..
    • t2
  • By default, in-house applications neither has logo nor has summary.
    • t3

To give these apps better user experience, service provider can set metadata on vApp templates by GUI or vCloud API , here is GUI Way to do so:

  • Go to Content Library and click on application which you have recently updated and go to metadata and click on “Edit” and add following items:
    • t4
    • title – Title of Application
    • summary – Summary of Application which will be displayed on Application tile.
    • Description – Description of Application
    • version – Displays version number of Application.
    • logo – Provider can choose a logo using Internal/External web location like S3.
    • screenshot – Provider can choose default snapshot using Internal HTTP/HTTPs server or External web location like S3
  • t5

This completes the installation and configuration of Cloud Director App Launchpad and as i said in my last post – App Launchpad is a free component for VMware Cloud Director, and doesn’t necessitate the use of Bitnami catalogs, providers can use their own appliances, so go ahead and give it a try, start delivering a PAAS like solutions to your Tenants.






VMware Cloud Director Encryption -PartIII

In the Part-1 & Part-2 we configured HyTrust KeyControl Cluster & vCenter, In this post we will configure Cloud director to utilize what we have configured till now…

Attach Storage Policy to Provider VDC

To update the information in the vCloud Director database about the VM storage policies which we had created in underlying vSphere environment, we must refresh the storage policies of the vCenter Server instance.

  • Login to Cloud Director with cloud admin account and go to vSphere resources and choose vCenter on which we had created policies and click on “REFRESH POLICIES”
    • 7
  • You can add a VM storage policy to a provider virtual data center, after which you can configure organization virtual data centers backed by this provider virtual data center to support the added storage policy.
    • Login to Cloud Director, go to Provider VDCs and choose PVDC which is backed by the cluster where we had created storage policies.
    • Click on “ADD”
    • 8
  • Choose the Policy that we created in previous post.
    • 9
    • 10

Attach Storage Policy to Organization VDC

You can configure an organization virtual data center to support a VM storage policy that you previously added to the backing provider virtual data center.

  • Now click on Organization VDCs, and click the name of the target organization virtual data center like 
    • 11
  • Click the Storage tab, and click Add.
    • 12
  • You can see a list of the available additional storage polices in the source provider virtual data center
  • Select the check boxes of one or more storage policies that you want to add, and click Add.
    • 13

Self Services Tenant Consumption

When Provider’s tenant try to create a VM/vAPP (A virtual machine can exist as a standalone machine or it can exist within a vApp) , he can use the encryption policy that we have created previously.

  • This is new VM creation wizard from template , Tenant user must choose “use custom storage policy” and select the “encryption policy”
    • 14
  • Once VM is provisioned , user can go and check the Storage policy by clicking on VM.
    • 15
  • User can also go in to “Hard Disk” section of VM and check disk policy.
    • 16

Encrypt Named Disks

Named disks are standalone virtual disks that you create in Organization VDCs.When you create a named disk, it is associated with an Organization VDC but not with a virtual machine. After you create the disk in a VDC, the disk owner or an administrator can attach it to any virtual machine deployed in the VDC. The disk owner can also modify the disk properties, detach it from a virtual machine, and remove it from the VDC. System administrators and organization administrators have the same rights to use and modify the disk as the disk owner.

  • Here we will create a new encrypted “Named Disk” by choosing storage policy as “Encryption Policy”.
    • 17
  • Cloud Director allow users to connect these named disks
  • Click the radio button next to the name of the named disk that you want to attach to a virtual machine, and click Attach
  • From the drop-down menu, select a virtual machine to which to attach the named disk, and click Apply.
    • 1819

This competes three part Cloud Director encryption configuration and use by the tenants , this features enables VMware Cloud Providers new offering and monetisation opportunities, go ahead , deploy and start offering additional/deferential services.

VMware Cloud Director Encryption -PartII

In the Part-1 we configured HyTrust KeyControl Cluster , In this post we will configure this cluster in vCenter and configure encryption for Virtual Machines. Let’s create a certificate on KMS server, which we will use to authenticate with vCenter.

Create Certificate

To create certificate , login to KMS server and go to KMIP

  • Click on “Client Certificates”
  • Then click on Actions and “Create Certificates”
    • 20
  • Enter the required details for creating certificate and click on create.
    • 21

Configure KMS with vCenter

  • Highlight the newly created certificate, click the Actions dropdown button, then click the Download Certificate option. This will download the certificate created above. A zip file containing the Certificate of Authority (CA) and certificate will be downloaded.
    • 22
  • Once you have downloaded Certificate , Log in to the VCSA, highlight the vCenter on the left hand pane, click on the configure tab on the right hand pane, click on Key Management Servers, then click the Add KMS button.
    • 23
  • Enter a Cluster name, Server Alias, Fully Qualified Domain Name (FQDN)/IP of the server, and the port number. Leave the other fields as the default, then click OK.
    • 26

Enable Trust between vCenter and KMS

  • Now we have to establish the trust relationship between vCenter and HyTrust KeyControl. Highlight the KeyControl appliance and click on Establish trust with KMS.
    • 27
  • Select the Upload certificate and private key option, then click OK.
    • 28
  • Click on Upload file button , browse to where the CA file was previously generated, select the “vcenter name”.pem file, then click Open.
  • Repeat the process for the private key by clicking on the second Upload file button and Verify that both fields are populated with the same file, then click OK.
    • 29
  • You will now see that the Connection status is shown as Normal indicating that trust has been established. Hytrust KeyControl is now set up as the Key Management Sever (KMS) for vCenter.
    • 25
  • Now we successfully add one Node of cluster , add another node by following the same steps..

Create Tag Category, Tag & Attach to Datastore

 Now we need to “Tag” few data stores which will hold these encrypted VMs , please create a “Tag Category” and a “Tag” in the vcenter and tag the data stores with this “Tag”.

This slideshow requires JavaScript.

Create Storage Profile

  • log into vCenter > Home > Policies and Profiles > VM Storage Policies > Create VM Storage Policy > Give it a name > Next
  • Select “Enable host based rules” and select “Enable tag based placement rules”
  • Select “Storage Policy Component” and choose “Default Encryption Properties”.The default properties are appropriate in most cases. You need a custom policy only if you want to combine encryption with other features such as caching or replication.
  • Select “Tag Category” and choose Appropriate Tag.
  • View Data Stores,review the configuration and finish.

This slideshow requires JavaScript.

This completes vCenter Configuration, in the next post will be configuring cloud director to consume these policies and tenant will use these policies.


VMware Cloud Director Encryption- Part1

Latest Cloud Director 10.1 release adds support for VM Encryption using cloud director self service portal, this means it allow users to encrypt/decrypt VMs and disks via Cloud Director, view the encryption status of VMs and disks in the API as well as user interface. Some of the key features are:

  • Ability to encrypt VMs at rest through Cloud Director UI and API
  • Cloud Providers configure Key Management Service (KMS), and encryption policy in backend vSphere
  • Cloud Providers can choose to make VM encryption available for some or all tenant
  • Tenant users can choose to apply encryption policy to VMs or individual disks.
  • In case of Tenant Managed Dedicated vCenter then Tenant can manages Keys and VM Encryption

I am going to write three part blog posts , which will cover:

  • VMware Cloud Director Encryption – PartI
  • VMware Cloud Director Encryption – PartII
  • VMware Cloud Director Encryption – PartIII

Deploy KMS

With HyTrust KeyControl supports a fully functional KMIP server that can be deployed as a vSphere Key Management Server and once deployment is completed and a trusted connection between KeyControl and vSphere has been established, KeyControl can manage the encryption keys for virtual machines in the cluster that have been encrypted with vCenter Server for vSphere Virtual Machine Encryption or VMware VSAN Encryption.

In this post we will deploy HyTrust KeyControl KMS server and setup KMS Cluster..There are two methods for installation of Key Control… either we can use OVA appliance or another Method to use ISO. in this Post we will use OVA method..

  • Open your vSphere Web Client and Click on “Deploy OVF Template”.
    • 1.png
  • Choose OVF
    • 2
  • Provide Name for the HyTrust KeyControl Appliance, select a deployment location, then click Next.
    • 3.png
  • Select the vSphere cluster or host Where you would like to install the HyTrust KeyControl appliance on, then click Next.
    • 4.png
  • Review the details, then click Next.
    • 5.png
  • Select the proper configuration from the drop down menu, then click Next. ( i am using Demo as resources are less in my Lab)
    • 6.png
  • Select the preferred storage and disk format for the KeyControl appliance, then click Next.
    • 7.png
  • Select the appropriate network, enter appropriate network details then click Next.
    • 9.png
  • Review the summary screen, if everything is correct, click Finish.
    • 10.png
    • 11

Appliance deployment is successfully completed.. since i am going to setup a cluster , so i would go ahead and deploy another appliance using the same procedure

Configure KMS Cluster

Once Both the appliance has been deployed ,

  • Power on the newly created HyTrust KeyControl appliance.then open a console to the KeyControl appliance. Set the system password, then press OK.
    • 12.png
  • Since this is the First Node ,Select No, then press enter.
    • 13.png
  • Review the Appliance Configuration, then press OK.
    • 14.png
  • Now First KeyControl appliance is configured and you can now move to the KeyControl WebGUI. Open a web browser and navigate to the IP or FQDN of the KeyControl appliance. Use the the following credentials to initially log in:
    • Username: secroot
      Password: secroot
    • 15.png
  • After login , read and accept the EULA by clicking on I Agree at the bottom of the agreement.
    • 16.png
  • Enter a new password for the secroot account, then click Update Password.
    • 17
  • Now we successful setup our first Node..
    • 18
  • Power on the second appliance and follow all the steps as above , except.. Click “YES” Here.
    • 19.png
  • This will take us to the process of Cluster creation process..
    • 20.png
  • Enter the IP address of First Node.
    • 21.png
  • The final piece of information required is the passphrase. We would require a minimum of 16 characters.
    • 25.png
  • The node must now be authenticated through the webGUI, as the following message indicates:
    • 23
  • At this point you need to log on to the webGUI console of First Node with Administration privileges. The new KeyControl node will automatically appear as an unauthenticated node in the KeyControl cluster, as shown below:
    • 26.png
  • To authenticate this new node, click the Actions Button and then click Authenticate. This will take you to the authentication screen shown below. You are prompted to enter the Authentication Passphrase.
    • 2728.png
  • On the new KeyControl’s console, you will see a succession of status messages, as shown below:
    • 30.png
  • Once authentication completes, the KeyControl node is listed as Authenticated but Unreachable until cluster synchronisation completes and the cluster is ready for use. This should not take more than a minute or two. Then it will show as Authenticated and Online.Once the KeyControl node is available, the status will automatically move to Online and the cluster status at the top right of the screen will change back to Healthy.
    • 31.png

At this point, the new cluster/node is ready to use.

Enable KMS Service

  • Now Click on the KMIP button on the toolbar to configure the KMIP.
    • 32.png
  • Enable KMIP by changing the state from disabled to enabled, then click save, then click Apply.
    • NOTE: Take note of the port number 5696 and have it handy. You will specify this port number in the vCenter\VCSA configuration, later on.
  • Now we have successfully setup KMS Cluster.
    • 34.png

This completes process of KMS server installation , their configuration and KMS cluster creation and configuration. In the next post , we will use this cluster for vSphere to use as KMS server.

Deliver Applications as a Service on Cloud Director with App Launchpad

Cloud Director App Launchpad helps VMware Cloud Providers to offer their tenants a curated portfolio of applications for their consumption, without them having to know anything about VMware Cloud Director based? with the release of App Launchpad Cloud providers can elevate their portfolio from IAAS,CAAS to Applications as a Service.Cloud Provider can Offer in-house applications suited to verticals or solution areas, App Launchpad will help providers in offering all this  and also making it very easy for all customer personas like DevOps, Developers, IT admins to access and deploy applications to VMware Cloud Director

App Launchpad For Providers

VMware Cloud Providers can  configure App Launchpad to work with the following types of applications:

  • Bitnami Applications

    • Bitnami offers pre-configured, tested, and supported open source applications. Service Providers that subscribe to the Bitnami Community Catalog can access these applications from the VMware Cloud Marketplace also.
    • n8
  • Apps from VMware Cloud Marketplace

    • VMware Cloud Marketplace is a service that will allow our partners to easily publish solutions in a variety of formats – whether it’s containers or appliances or even SaaS, it  offers a range of ISV applications that a Service Provider can add to VMware Cloud Director and make available for consumption to their tenants using App Launchpad.
    • n9
  • In-house applications

    • Service provider can upload their own in house developed application vApps and can make it available to their tenants to consume with in seconds. providers will upload their own solution in AppLaunch Pad catalog and using an API call update catalogs description and logo and make it available to their choice of tenants using App LaunchPad.

Provider Onboarding Cloud Market Place Applications

To onboard Bitnami applications to App Launchpad, Cloud providers will have go to VMware Cloud Market Place and import the applications to the newly created Launchpad provider organization.

This slideshow requires JavaScript.

Provider Onboarding In-House Applications

To onboard custom, in-house applications, Providers will have to go to the content library of the newly created Launchpad provider organization and create catalog items and upload their applications. Provider will also need to add logo and description to these applications using an API, please refer for API calls.

Provider Tenant Access & Application Management

To make applications available to tenants, App Launchpad automatically creates a catalog of applications and publish it to a VMware Cloud Director organization. Provider can also configure the default application deployment settings at the VMware Cloud Director organization and organization virtual data center levels.

Using App Launchpad, Providers can control the visibility of application catalogs to tenant users , can define various T-Shirt sizes for the application, control the visibility of catalogs.

Provider can remove an application catalog from a VMware Cloud Director organization, the users in the organization can no longer use the applications in the catalog.

This slideshow requires JavaScript.

App Launchpad For Tenants

Using App Launchpad, Various Tenant personas like developers, IT admins , End users and DevOps engineers can launch applications to their organization virtual data center  in few seconds and start consuming immediately. Few of the key features are:

  • Curated catalog of applications for tenants
    • n3
  • 1-Click app Deployment for tenant users
    • n6
  • Automates VM creation, networking, firewalling, assigns IP , Tenant user does not need to worry about underlying infrastructure required to provision and access apps, just need to go to App LaunchPad – My Applications and here they can get access information and basic operations like:
    • Open Console
    • IP address
    • Actions like – power on/off , delete etc..
    • n7
  • For tenant consumers No knowledge of underlying infrastructure required to provision and access apps.

How to Start ?

It is very simple and easy process to install App launchpad , here is App Launch Pad Installation Pre-requisite:


NOTE – Linux Based Operating Cent OS 7 & Cent OS 8 are only Supported as of now.

For Detailed installation steps , please refer App Launchpad documentation here, i will also write few more posts on this topic.

App Launchpad is a free component for VMware Cloud Director, and doesn’t necessitate the use of Bitnami catalogs, providers can use their own appliances, so go ahead and give it a try, start delivering a PAAS solutions to your customers.



Quick & Easy Tenant OnBoarding using Cloud Director Terraform Provider

In continuation to my last two posts on using Terraform to automate various Cloud Director options, here is another one…In this post we are going to onboard a tenant using vCloud Director Terraform provider , (last post i did 5 steps) there are 12 steps that we are going to automate.Special thanks to my terraform for vCD Product Team who helped me in some of this stuff. 

Here is my old posts on similar topic.


  1. Create a new External Network
  2. Create a new Organization for the Tenant
  3. Create a new Organization Administrator for this Tenant
  4. Create a new Organization VDC for the Tenant
  5. Deploy a new Edge gateway for the Tenant
  6. Create a new Routed Network for the Tenant
  7. Create a new Isolated Network for the Tenant
  8. Create a new Direct Network for the Tenant
  9. Create Organization Catalog
  10. Upload OVA/ISO to Catalog
  11. Creating vApp
  12. Create a VM inside vAPP

Step-1: Code for Creating External Network

As you know External Network is a Tenant connection to the outside world, By adding an external network, you register vSphere network resources for vCloud Director to use. You can create organization VDC networks that connect to an external network. few important parameters to consider:

  • Resource Type – “vcd_external_network”
  • vsphere_network – This is Required parameter you need to provide a DV_PORTGROUP or Standard port group names that back this external network. Each referenced DV_PORTGROUP or NETWORK must exist on a vCenter server which is registered with vCloud Director.
  • Type
    • For dv Port Group , use Type – DV_PORTGROUP
    • For Standard Port Group , use Type – NETWORK
  • retain_net_info_across_deployments – (Optional) Specifies whether the network resources such as IP/MAC of router will be retained across deployments. Default is false.
#Create a new External Network for "tfcloud"
resource "vcd_external_network" "extnet-tfcloud" {
  name        = "extnet-tfcloud"
  description = "external network"
  vsphere_network {
    vcenter = "" #VC name registered in vCD
    name    = "VM Network"
    type    = "NETWORK"
  ip_scope {
    gateway    = ""
    netmask    = ""
    dns1       = ""
    dns2       = ""
    dns_suffix = ""
    static_ip_pool {
      start_address = ""
      end_address   = ""
  retain_net_info_across_deployments = "false"

Step-2: Code for New Organization

In this section , we are going to create a new organization named “tfcloud” which is enabled to use, This section creates a new vCloud Organisation by specifying the name, full name, description, VM Quota , vApp lease etc… Quota, lease etc..Cloud Provider must need to enter based on the commitment with tenant organization.

#Create a new org name "tfcloud"
resource "vcd_org" "tfcloud" {
  name              = "terraform_cloud"
  full_name         = "Org created by Terraform"
  is_enabled        = "true"
  stored_vm_quota   = 50
  deployed_vm_quota = 50
  delete_force      = "true"
  delete_recursive  = "true"
  vapp_lease {
    maximum_runtime_lease_in_sec          = 0
    power_off_on_runtime_lease_expiration = false
    maximum_storage_lease_in_sec          = 0
    delete_on_storage_lease_expiration    = false
  vapp_template_lease {
    maximum_storage_lease_in_sec       = 0
    delete_on_storage_lease_expiration = false

Step-3: Code for Creating Organisation Administrator

Once as a provider you created Org, this org need an admin, below code will create local org admin. In this code everything is self explanatory but few important parameters explained here:

  • Resource Type – “vcd_org_user”
  • org & name – these are variable, referred in variable file.
  • role – role assigned to this user
  • password – initial password assigned
#Create a new Organization Admin
resource "vcd_org_user" "tfcloud-admin" {
  org               =
  name              = "tfcloud-admin"
  password          = "*********"
  role              = "Organization Administrator"
  enabled           = true
  take_ownership    = true
  provider_type     = "INTEGRATED" #INTEGRATEDSAMLOAUTH stored_vm_quota = 50 deployed_vm_quota = 50 }

Step-4: Code for Creating new Organization VDC

So till now we created External Network, Organization and Organization administrator , next is to create a organization virtual data center , so that tenant can provision VMs, Containers and Applications. few important configuration parameters to consider:

  • name – vdc-tfcloud
  • Resource Type – “vcd_org_vdc”
  • Org – referring org name created in previous step
  • Allocation Pool – Pay as you go (represented as “AllocationVApp”).
  • network_pool_name – Network pool name as defined during provider config.
  • provider_vdc_name – Name of Provider VDC name.
  • Compute & Storage – Define compute and storage allocation.
  • network_quota – Maximum no. of networks can be provisioned in to this VDC
# Create Org VDC for above org
resource "vcd_org_vdc" "vdc-tfcloud" {
  name = "vdc-tfcloud"
  org  =
  allocation_model  = "AllocationVApp"
  provider_vdc_name = "vCD-A-pVDC-01"
  network_pool_name = "vCD-VXLAN-Network-Pool"
  network_quota     = 50
  compute_capacity {
    cpu {
      limit = 0
    memory {
      limit = 0
  storage_profile {
    name    = "*"
    enabled = true
    limit   = 0
    default = true
  enabled                  = true
  enable_thin_provisioning = true
  enable_fast_provisioning = true
  delete_force             = true
  delete_recursive         = true

Step-5: Code for Creating Edge Gateway for Tenant

This next section creates a new vCloud Organization Edge Gateway by specifying the name, full name, and description. Provider configures an edge gateway to provide connectivity to one or more external networks.

  • Resource Type – “vcd_edgegateway”
  • Configuration – compact
  • Advanced – this will be an advance edge
  • distributed_routing – distributed routing is enabled
  • external_network – uplink information towards DC exit.
# Create Org VDC Edge for above org VDC
resource "vcd_edgegateway" "gw-tfcloud" {
  org                     =
  vdc                     =
  name                    = "gw-tfcloud"
  description             = "tfcloud edge gateway"
  configuration           = "compact"
  advanced                = true
  external_network {
     name =
     subnet {
        ip_address            = ""
        gateway               = ""
        netmask               = ""
        use_for_default_route = true

Step-6: Code for Creating Organization Routed Network

An organization VDC network with a routed connection provides controlled access to machines and networks outside of the organization VDC. System administrators (Providers) and organization administrators can configure network address translation (NAT) and firewall settings on the network’s Edge Gateway to make specific virtual machines in the VDC accessible from an external network. Things to consider:

  • resource -> must be of type “vcd_network_routed”
  • Define other networking information
# Create Routed Network for this org
resource "vcd_network_routed" "net-tfcloud-r" {
  name         = "net-tfcloud-r"
  org          =
  vdc          =
  edge_gateway =
  gateway      = ""
  static_ip_pool {
    start_address = ""
    end_address   = ""

Step-7: Code for Creating Org Isolated Network

An isolated organization VDC network provides a private network to which virtual machines in the organization VDC can connect. This network provides no connectivity to machines outside this organization VDC. Things to consider:

  • resource -> must be of type “vcd_network_isolated”
  • Define other networking information like ips etc
# Create Isolated Network for this org
resource "vcd_network_isolated" "net-tfcloud-i" {
  name    = "net-tfcloud-i"
  org     =
  vdc     =
  gateway = ""
  static_ip_pool {
    start_address = ""
    end_address   = ""

Step-8: Code for Creating Organisation Direct Network

This is restricted to System Administrator of vCloud Director Cloud Providers, A System Administrator can create an organization virtual datacenter network that connects directly to an IPv4 or IPv6 external network. VMs on the organization can use the external network to connect to other networks, including the Internet. Things to consider:

  • resource -> must be of type “vcd_network_direct”
  • Define other networking information
  • In this we are connecting directly to external network which created in step-1
# Create Direct Network for this org
resource "vcd_network_direct" "net-tfcloud-d" {
  name             = "net-tfcloud-d"
  org              =
  vdc              =
  external_network = "extnet-tfcloud"

Step-9: Code for Creating Organization Catalog

Catalog allow Tenant to group vApps and media files , in this step provider is providing a private catalog to tenant,Things to consider:

  • resource -> must be of type “vcd_catalog”
  • Define catalog related information information
# Create Default catalog for this org
resource "vcd_catalog" "cat-tfcloud" {
  org         =
  name        = "cat-tfcloud"
  description = "tfcloud catalog"
  delete_force     = "true"
  delete_recursive = "true"
  depends_on       = [vcd_org_vdc.vdc-tfcloud]

Step-10: Code for Uploading  OVA in to Catalog

It’s up to provider, they can upload few catalog items like .iso and .ova for tenants to consume in to above private catalog or can share with them public catalog, in this case we are uploading few items in to this private catalog.Things to consider:

  • resource -> must be of type “vcd_catalog_item”
  • ova_path -> it will be a path of your local directory to upload image.
  • Define catalog related information information
# Create Default catalog for this org
resource "vcd_catalog_item" "photon-hw11" {
  org     =
  catalog =
  name                 = "photon-hw11"
  description          = "photon-hw11"
  ova_path             = "/Users/tripathiavni/desktop/Sizing/photon-hw11-3.0-26156e2.ova"
  upload_piece_size    = 5
  show_upload_progress = "true"

Step-11: Code for Creating vAPP

In this step as a provider we are creating a vAPP which will hold few client binaries to run Container Service Extension. while creating vAPP things to consider:

  • resource -> must be of type “vcd_vapp”
  • ova_path -> it will be a path of your local directory to upload image.
  • Define catalog related information information
# Create vApp for this org
resource "vcd_vapp" "CSEClientVapp" {
  name             = "CSEClientVapp"
  org              =
  vdc              =
  # This dependency is must to avoid a lock during destroy
  depends_on = []

Step-12: Code for Creating Virtual Machine

In above vAPP , we will add a VM which is running Photon OS, while creating VM,  Things to consider:

  • resource -> must be of type “vcd_vapp_vm”
  • catalog_name -> Catalog that we created in above step.
  • Define other VM related information.
# Create Default catalog for this org
resource "vcd_vapp_vm" "CSEClientVM" {
  name         = "CSEClientVM"
  org          =
  vdc          =
  vapp_name    =
  catalog_name =
  template_name =
  cpus = 2
  memory = 1024
  network {
    name               =
    type               = "org"
    ip_allocation_mode = "POOL"

Putting it all together:

So i have put all this code in to a single file and also created a variable file, which will allow providers to on-board a new Tenant less then “5 minute” , provider admin just need to update few parameters in to the variable file like:

  • vcd_user -> Cloud Admin user name
  • vcd_pass -> Cloud Admin password
  • vcd_url -> Cloud Director provider URL


Once you input the parameters, run terraform plan and Apply the plan, this entire process should not take more than 10 minutes to complete.

  • Terraform Plan -out m4.tfplan
    • This slideshow requires JavaScript.

As you can see in above images terraform plan will add “12” items in to my Cloud Director.

  • Terraform apply “m4.tfplan”
    • This slideshow requires JavaScript.

Finally terraform created all the 12 resources that we expected it to create.


As described above all 12 tasks related to a Tenant on-boarding got successfully completed and if you notice highlighted boxes , everything is over in less than around 8 minutes including uploading an OVA isn’t it awesome ?

NOTE: There isn’t need to define org/vdc in every resource if it is defined in provider  unless you working with a few org/VDCs.

Here i am attaching variable and code file , which you can use it in your environment by just changing variable file contents which i explained above. pls try these files in to a non-prod environment and make your self comfortable before doing it in production. here is the full content of above to Download Please share feedback , suggestion any in the comment section…